ISO/IEC 27001 certification runs in two stages. Stage one is a review of the documentation and readiness. Stage two is the audit proper, in which the auditor looks for evidence that the system really works. The most common reason for failure lies not in a lack of knowledge, but in a lack of evidence. Below is the path I guide clients through before an audit.

Understand what the auditor will check

The auditor does not assess what you can talk about. They assess three things: whether the system is described, whether it is implemented and whether it is maintained. You have to be able to show each of them with examples.

  • Described: you have a scope, a policy, a risk analysis and the required procedures.
  • Implemented: the controls actually work, and people know what to do.
  • Maintained: there are reviews, records, corrections and learning from incidents.

The most common nonconformities I see are not about great technical gaps. They are about a lack of records. Something happened, but nobody noted it down, so for the auditor it did not happen.

Set the scope and context

Start with a clear definition of the scope of the Information Security Management System. The scope determines which locations, processes and systems are subject to certification.

  • Describe the context of the organisation and the interested parties.
  • Define the boundaries of the scope and justify any exclusions.
  • Tie the scope to real business processes, not to wishes.

A scope that is too broad raises the cost and the risk of nonconformity. One that is too narrow raises the auditor’s suspicions. What matters is an honest scope.

Carry out a risk analysis and prepare the Statement of Applicability

This is the heart of ISO 27001. The risk analysis shows why you chose these particular controls from Annex A.

  1. Inventory the assets and processes.
  2. Identify the threats and vulnerabilities.
  3. Estimate the risk using a consistent method.
  4. Plan the risk treatment.
  5. Justify the selection or exclusion of controls in the Statement of Applicability.

The Statement of Applicability must agree with the risk analysis and with the actual state. A gap between paper and reality is a straight road to a nonconformity.

Gather the evidence before the auditor arrives

This is the stage companies most often underestimate. The system may work, but without records there is no way to prove it.

Prepare, among other things:

  • the risk register and the treatment plan,
  • records of granting and revoking permissions,
  • logs of backup reviews and restore tests,
  • an incident register together with the actions taken,
  • attendance lists from security awareness training,
  • records of reviews at providers.

Put the documentation in order

The auditor has to quickly find the current versions of documents. Take care of document control: versioning, owners and review dates. Chaos in versions can spoil the good impression of a well-functioning system.

Perform an internal audit and a management review

These are mandatory requirements and, at the same time, the best dress rehearsal.

  • An internal audit carried out by a person independent of the audited area will catch gaps before the external auditor does.
  • The management review engages leadership and documents decisions about objectives, resources and improvement.

Both produce records the auditor will directly expect. Treat them seriously, not as a formality to tick off.

Close nonconformities and rehearse the conversations

Finally, turn the gaps you found into corrective actions with deadlines and responsible people. Then prepare the team.

  • Warn employees that the auditor may ask questions.
  • Teach them a simple principle: tell the truth and show how you do your job.
  • Do not teach ready-made phrases. An auditor senses recitation from a mile away.

Summary

A well-prepared ISO 27001 audit is not stress, but confirmation of the order that pays off for you anyway. The key is three elements: an honest risk analysis, controls matched to that risk, and evidence that everything really works.

If you want to go through this with someone who has sat on both sides of the audit table, take a look at our ISO 27001 audit and comprehensive ISO 27001 implementation. We start with a trial audit so that the certification day is already just a formality.